This documentation is for WSO2 Identity Server 5.6.0. View documentation for the latest release.
Sending Notifications to External PEP Endpoints - WSO2 Identity Server 5.6.0 - WSO2 Documentation

...

  1. If you are using EMAIL as the notification method, configure the email transport in the axis2.xml file as follows:
    1. Open the <IS_HOME>/repository/conf/axis2/axis2.xml file.
    2. Set the attributes according to your email account. The following is a sample configuration. Note that the mail.smtp.password value is stored in cleartext, so restrict read access to axis2.xml or encrypt the value with the Carbon Secure Vault.

      Code Block
      languagexml
      <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
      	<parameter name="mail.smtp.from">wso2demomail@gmail.com</parameter>
      	<parameter name="mail.smtp.user">wso2demomail</parameter>
      	<parameter name="mail.smtp.password">mailpassword</parameter>
      	<parameter name="mail.smtp.host">smtp.gmail.com</parameter>	 
      	<parameter name="mail.smtp.port">587</parameter>
      	<parameter name="mail.smtp.starttls.enable">true</parameter>
      	<parameter name="mail.smtp.auth">true</parameter>
      </transportSender>
  2. Create an email template in the <IS_HOME>/repository/conf/email directory and use its path in the configurations below. The sample template entitlement-email-config.xml contains the following.

    Code Block
    Hi {username},
    
    XACML PDP policy store has been changed.
    
     Policy Id : {targetId}
     Action : {action}
     Policy : {target}
    
     Best Regards,
     http://xacmlinfo.org
  3. Do the following to send notifications to external endpoints when there is a policy change.

    1. Navigate to the <IS_HOME>/repository/conf/identity/entitlement.properties file.
    2. Make the following change.

      Code Block
      PAP.Status.Data.Handler.2=org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension

      The trailing number after "PAP.Status.Data.Handler" must be the lowest positive integer that is not already used by an existing "PAP.Status.Data.Handler" entry, so that the new handler does not overwrite one that is already registered.

  4. Additionally, add the following to the entitlement.properties file and adjust it to your setup. The sample below sends notifications via EMAIL; change the recipient email address. It also sets ignoreServerVerification to true, which is only acceptable for testing; see the attribute table below before using XML or JSON notifications.

    Code Block
    #org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=notificationType,JSON
    #org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=notificationType,XML
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=notificationType,EMAIL
    
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.2=ignoreServerVerification,true
    
    #org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.3=targetUrl,http://targetUrlAddress;username;password
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.3=emailAddress,wso2demomail@gmail.com
    
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.4=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE
    
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.5=papNotification,true
    
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.6=pdpNotification,true
    
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.9=roleName, admin
    
    

    The following table describes the attributes used above.

    Attribute | Description
    notificationType | The type of notification the module sends. This can be EMAIL, XML or JSON.
    pdpNotification | Whether a notification is sent for PDP policy store changes. This is enabled by default; set it to false to stop PDP notifications.
    pdpNotificationAction | The PDP actions that trigger a notification. There are four actions, and several can be listed separated by semicolons, for example ENABLE;DISABLE;UPDATE;DELETE. By default notifications are sent for all four types of change; set this attribute to restrict them.
    papNotification | Whether a notification is sent for PAP policy store changes. This is disabled by default; set it to true to enable it.
    targetUrl | The endpoint that receives XML or JSON notifications, written as "target url;username;password" with ";" as the separator. Use an https URL. The password is stored in cleartext in entitlement.properties, so restrict read access to the file.
    roleName | The user group to notify. If the EMAIL notification type is used and no target URL is defined, the email is sent to all members of this group, for example the Administrator group.
    ignoreServerVerification | Whether to skip SSL/TLS certificate verification of the endpoint URL when XML or JSON is the notification type. Setting this to true makes the server accept any certificate, so an attacker on the network path can read or spoof notifications. Keep it false outside test environments and import the endpoint's certificate into client-truststore.jks instead (see step 6).
    emailTemplateFile | If the EMAIL notification type is used, the subject, body and footer of the email can be loaded from a separate template file. A default format exists; to override it, set this attribute to the absolute path of your template file.
    emailSubject | The subject of the email. Set it if you want to replace the module's default subject.
    emailAddress | The email address that notifications are sent to.
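    The following script, an added example that is not part of the WSO2 documentation or product, checks an entitlement.properties file for the mistakes this step invites: a duplicated PAP.Status.Data.Handler index, a missing registration, an invalid notificationType, ignoreServerVerification left at true, a plain-http targetUrl, and unknown pdpNotificationAction values. It assumes only the "<extension>.<n>=<attribute>,<value>" line format shown above; the host names in the sample configurations are made up.

```python
"""Sanity checks for the EntitlementNotificationExtension settings in
entitlement.properties. Added example, not WSO2 code: it assumes only the
'<extension>.<n>=<attribute>,<value>' line format shown on this page and the
PAP.Status.Data.Handler.<n> registration line. Host names below are made up."""
import re
from urllib.parse import urlsplit

EXT = "org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension"
VALID_TYPES = {"EMAIL", "XML", "JSON"}
VALID_ACTIONS = {"ENABLE", "DISABLE", "UPDATE", "DELETE"}


def parse_properties(text):
    """Minimal key=value reader: blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def extension_settings(props):
    """Turn '<EXT>.<n>=attribute,value' entries into {attribute: value}."""
    settings = {}
    for key, value in props.items():
        if key.startswith(EXT + "."):
            attr, _, val = value.partition(",")
            settings[attr.strip()] = val.strip()
    return settings


def audit_entitlement_notification(text):
    """Return a list of findings; an empty list means the file passed."""
    props = parse_properties(text)
    s = extension_settings(props)
    findings = []

    # Registration: the handler index must be unique, and the extension must
    # actually be listed as a PAP.Status.Data.Handler.
    indexes = re.findall(r"^\s*PAP\.Status\.Data\.Handler\.(\d+)\s*=", text, re.M)
    dups = sorted({i for i in indexes if indexes.count(i) > 1})
    if dups:
        findings.append(f"duplicate PAP.Status.Data.Handler index: {dups}")
    if EXT not in [v for k, v in props.items() if k.startswith("PAP.Status.Data.Handler.")]:
        findings.append("EntitlementNotificationExtension is not registered as a PAP.Status.Data.Handler")

    ntype = s.get("notificationType", "").upper()
    if ntype not in VALID_TYPES:
        findings.append(f"notificationType must be EMAIL, XML or JSON, got {ntype!r}")

    # ignoreServerVerification=true turns off TLS certificate validation for the
    # XML/JSON endpoint, so an on-path attacker can read or spoof notifications.
    if s.get("ignoreServerVerification", "false").lower() == "true":
        findings.append("ignoreServerVerification=true disables TLS certificate validation; "
                        "set it to false and import the endpoint certificate into client-truststore.jks")

    if ntype in ("XML", "JSON"):
        target = s.get("targetUrl", "")
        url = target.split(";")[0]  # page format: url;username;password
        if not url:
            findings.append("targetUrl is required for XML/JSON notifications")
        elif urlsplit(url).scheme.lower() != "https":
            findings.append(f"targetUrl {url} is not https: policy data and the "
                            "endpoint credentials would travel in cleartext")
    elif ntype == "EMAIL" and not (s.get("emailAddress") or s.get("roleName")):
        findings.append("EMAIL notifications need emailAddress or roleName")

    actions = s.get("pdpNotificationAction")
    if actions:
        unknown = {a.strip().upper() for a in actions.split(";")} - VALID_ACTIONS
        if unknown:
            findings.append(f"unknown pdpNotificationAction value(s): {sorted(unknown)}")
    return findings


# Constructed sample mirroring the page's EMAIL configuration.
PAGE_SAMPLE = f"""
PAP.Status.Data.Handler.2={EXT}
{EXT}.1=notificationType,EMAIL
{EXT}.2=ignoreServerVerification,true
{EXT}.3=emailAddress,wso2demomail@gmail.com
{EXT}.4=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE
{EXT}.5=papNotification,true
{EXT}.6=pdpNotification,true
"""

# Constructed weak JSON configuration: plain http, verification off, a typo'd action.
WEAK_JSON = f"""
PAP.Status.Data.Handler.2={EXT}
{EXT}.1=notificationType,JSON
{EXT}.2=ignoreServerVerification,true
{EXT}.3=targetUrl,http://pep.example.internal/notify;pepuser;pepsecret
{EXT}.4=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE;PURGE
"""

# The same endpoint, hardened: https with certificate verification left on.
HARDENED_JSON = f"""
PAP.Status.Data.Handler.2={EXT}
{EXT}.1=notificationType,JSON
{EXT}.2=ignoreServerVerification,false
{EXT}.3=targetUrl,https://pep.example.internal/notify;pepuser;pepsecret
{EXT}.4=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE
"""

if __name__ == "__main__":
    for name, cfg in (("page sample", PAGE_SAMPLE), ("weak", WEAK_JSON), ("hardened", HARDENED_JSON)):
        print(name, audit_entitlement_notification(cfg) or "OK")
```

    Run it against a copy of your entitlement.properties before restarting the server; the page's own sample produces exactly one finding, the ignoreServerVerification warning, which is what you want to clear before pointing the extension at a real XML or JSON endpoint.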
  5. To send notifications to external endpoints when a user operation or a policy update occurs, open the msg-mgt.properties file in the <IS_HOME>/repository/conf/identity/ directory and add the following configurations. Adjust them to your notification module. The sample below configures email notifications; the commented-out section shows the equivalent JSON module configuration.

    Code Block
    module.name.1=email
    email.subscription.1=userOperation
    email.subscription.userOperation.template=<IS_HOME>/repository/conf/email/entitlement-email-config.xml
    email.subscription.userOperation.salutation=Admin
    email.subscription.userOperation.subject=User operation change information
    email.subscription.userOperation.endpoint.1=privateMail
    email.subscription.userOperation.endpoint.privateMail.address=wso2demomail@gmail.com
    email.subscription.userOperation.endpoint.privateMail.salutation=Admin
    email.subscription.userOperation.endpoint.privateMail.subject=The User Operation change has occurred.
    #
    email.subscription.userOperation.endpoint.2=officeMail
    email.subscription.userOperation.endpoint.officeMail.address=wso2demomail@gmail.com
    #
    email.subscription.2=policyUpdate
    email.subscription.policyUpdate.template=<IS_HOME>/repository/conf/email/entitlement-email-config.xml
    email.subscription.policyUpdate.salutation=Admin
    email.subscription.policyUpdate.subject= policy update information mail
    email.subscription.policyUpdate.endpoint.1=privateMail
    email.subscription.policyUpdate.endpoint.privateMail.address=wso2demomail@gmail.com
    email.subscription.policyUpdate.endpoint.privateMail.salutation=Admin 
    email.subscription.policyUpdate.endpoint.privateMail.subject=policy update information to private wso2demomail@gmail.com
    #
    #module.name.2=json
    #json.subscription.1=userOperation
    #json.subscription.userOperation.template=templatePath/jsonTemplate
    #json.subscription.userOperation.jsonId=3232
    #json.subscription.userOperation.endpoint.1=pepEndpoint1
    #json.subscription.userOperation.endpoint.pepEndpoint1.address=https://localhost:8080/testEndpoint1
    #json.subscription.userOperation.endpoint.pepEndpoint1.username=testUsername
    #json.subscription.userOperation.endpoint.pepEndpoint1.password=testPW
    #
    #json.subscription.userOperation.endpoint.2=pepEndpoint2
    #json.subscription.userOperation.endpoint.pepEndpoint2.address=https://localhost:8080/testEndpoint2
    
    threadPool.size = 10
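    The msg-mgt.properties layout above is easy to break silently: an endpoint.N line must hold a name that is then used in ...endpoint.<name>.address, and a key that refers to a name never declared by endpoint.N does nothing. The following script, an added example that is not WSO2 code, walks the module / subscription / endpoint hierarchy and reports such mismatches, plus any endpoint address that uses plain http. It assumes only the key layout visible in this step; the template path and host name in the samples are made up.

```python
"""Consistency check for the module / subscription / endpoint hierarchy in
msg-mgt.properties. Added example, not WSO2 code: it assumes only the key
layout visible on this page (module.name.N, <module>.subscription.N,
<module>.subscription.<sub>.endpoint.N and ...endpoint.<name>.address).
Paths and host names in the samples are made up."""
import re
from urllib.parse import urlsplit


def parse_properties(text):
    """Minimal key=value reader: blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _values(props, pattern):
    """Values of all keys matching the regex pattern, in file order."""
    return [v for k, v in props.items() if re.fullmatch(pattern, k)]


def check_msg_mgt(text):
    """Return a list of findings; an empty list means the hierarchy is consistent."""
    props = parse_properties(text)
    findings = []
    modules = _values(props, r"module\.name\.\d+")
    if not modules:
        findings.append("no module.name.N entries: no notification module is active")
    for mod in modules:
        for sub in _values(props, rf"{re.escape(mod)}\.subscription\.\d+"):
            base = f"{mod}.subscription.{sub}"
            if f"{base}.template" not in props:
                findings.append(f"{base}: no template configured")
            # endpoint.N lines declare names; every declared name needs an .address
            declared = set(_values(props, rf"{re.escape(base)}\.endpoint\.\d+"))
            if not declared:
                findings.append(f"{base}: no endpoint.N entries, nothing would be notified")
            for name in sorted(declared):
                addr = props.get(f"{base}.endpoint.{name}.address")
                if addr is None:
                    findings.append(f"{base}.endpoint.{name} is declared but has no .address "
                                    "(an endpoint.N value must be a name, not an address)")
                elif urlsplit(addr).scheme.lower() == "http":
                    findings.append(f"{base}.endpoint.{name}: {addr} uses plain http; use https "
                                    "and import the endpoint certificate into client-truststore.jks")
            # keys that refer to endpoint names never declared (typo or copy error)
            for key in props:
                m = re.fullmatch(rf"{re.escape(base)}\.endpoint\.([^.]+)\.\w+", key)
                if m and m.group(1) not in declared:
                    findings.append(f"{key} refers to undeclared endpoint '{m.group(1)}'")
    return findings


# Constructed: an EMAIL section where endpoint.2 holds an address instead of a
# name, so officeMail is never declared and its .address key is orphaned.
BUGGY_EMAIL = """
module.name.1=email
email.subscription.1=userOperation
email.subscription.userOperation.template=<IS_HOME>/repository/conf/email/entitlement-email-config.xml
email.subscription.userOperation.endpoint.1=privateMail
email.subscription.userOperation.endpoint.privateMail.address=wso2demomail@gmail.com
email.subscription.userOperation.endpoint.2=wso2demomail@gmail.com
email.subscription.userOperation.endpoint.officeMail.address=wso2demomail@gmail.com
"""

FIXED_EMAIL = BUGGY_EMAIL.replace("endpoint.2=wso2demomail@gmail.com", "endpoint.2=officeMail")

# Constructed JSON module: plain-http PEP endpoint and a password assigned to a
# misspelled endpoint name.
WEAK_JSON = """
module.name.1=json
json.subscription.1=policyUpdate
json.subscription.policyUpdate.template=/opt/wso2is/notify/pep-template.json
json.subscription.policyUpdate.endpoint.1=pepEndpoint1
json.subscription.policyUpdate.endpoint.pepEndpoint1.address=http://pep.example.internal/notify
json.subscription.policyUpdate.endpoint.pepEndpoint1.username=pepuser
json.subscription.policyUpdate.endpoint.pepEndpoint2.password=pepsecret
"""

if __name__ == "__main__":
    for name, cfg in (("buggy", BUGGY_EMAIL), ("fixed", FIXED_EMAIL), ("weak json", WEAK_JSON)):
        print(name, check_msg_mgt(cfg) or "OK")
```

    The check is deliberately strict about endpoint names because a credential attached to a misspelled name (the pepEndpoint2.password case) is the kind of error that leaves the real endpoint unauthenticated without any error in the server log.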
  6. Use https to communicate with external endpoints. In that case, import the endpoint's certificate (or the CA certificate that issued it) into the client-truststore.jks of the Identity Server, and leave ignoreServerVerification set to false so that the certificate is actually validated. You can use the Java keytool command to do this; the following is a sample command. Verify the certificate's fingerprint with the endpoint owner before importing it. The default password for client-truststore.jks is "wso2carbon"; change it in production deployments.

    Code Block
    keytool -import -alias wso2 -file <path_to_your_certificate_file>/yourCertificate.crt -keystore <IS_HOME>/repository/resources/security/client-truststore.jks